MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a99b696e8ac16303843b26c95c982d5be9b9fd657d843937cc586c9a8dc29b83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a99b696e8ac16303843b26c95c982d5be9b9fd657d843937cc586c9a8dc29b83
SHA3-384 hash: fe77e869402e51867546996633774d3df5884ea755ab4090ab8736364816ef2e509520f51aea7219cec0d2d6ccd77f18
SHA1 hash: a23d20eba03efd6f428b0c6f1afbe47dccfe8c68
MD5 hash: 1caacec9442e87e867993c5dd722410e
humanhash: california-twelve-enemy-double
File name:new product order.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:859'648 bytes
First seen:2021-09-20 18:28:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:eBGiY6H+Fu7NcoGvW5yXMqfgpLYmKjwmbu9Q30+tmtiK5oMzrUQ:eA6eFuegxqfILvK8G0C+FoMzD
Threatray 9'431 similar samples on MalwareBazaar
TLSH T1A605D0202364C26AE1FBE778D432D471CB7EE986A036D95A6DC3D9DA0D25341C11BF2B
File icon (PE):PE icon
dhash icon a6591878d162e41b (9 x AgentTesla, 7 x Formbook, 2 x SnakeKeylogger)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
212
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
new product order.exe
Verdict:
Malicious activity
Analysis date:
2021-09-20 18:30:15 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/0ce948a6-a286-4bf1-adc8-de622dd441a1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189580/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a window
Enabling autorun with the shell\open\command registry branches
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/468fa95d-8a1b-4806-b0ad-5211640736f7
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/854359
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 486791 Sample: new product order.exe Startdate: 20/09/2021 Architecture: WINDOWS Score: 100 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for dropped file 2->48 50 10 other signatures 2->50 10 new product order.exe 3 7 2->10         started        process3 file4 32 C:\Users\user\AppData\Roaming32PWwYvf.exe, PE32 10->32 dropped 34 C:\Users\user\AppData\Local\...\tmp5AC9.tmp, XML 10->34 dropped 36 C:\Users\user\...\new product order.exe.log, ASCII 10->36 dropped 62 Injects a PE file into a foreign processes 10->62 14 new product order.exe 10->14         started        17 schtasks.exe 1 10->17         started        signatures5 process6 signatures7 64 Modifies the context of a thread in another process (thread injection) 14->64 66 Maps a DLL or memory area into another process 14->66 68 Sample uses process hollowing technique 14->68 70 Queues an APC in another process (thread injection) 14->70 19 explorer.exe 14->19 injected 23 conhost.exe 17->23         started        process8 dnsIp9 38 www.tamaralocke.com 154.222.115.69, 49804, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 19->38 40 www.expertchimneyhob.com 19->40 42 expertchimneyhob.com 34.98.99.30, 49802, 80 GOOGLEUS United States 19->42 52 System process connects to network (likely due to code injection or exploit) 19->52 25 chkdsk.exe 19->25         started        signatures10 process11 signatures12 54 Self deletion via cmd delete 25->54 56 Modifies the context of a thread in another process (thread injection) 25->56 58 Maps a DLL or memory area into another process 25->58 60 Tries to detect virtualization through RDTSC time measurements 25->60 28 cmd.exe 1 25->28         started        process13 process14 30 conhost.exe 28->30         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a99b696e8ac16303843b26c95c982d5be9b9fd657d843937cc586c9a8dc29b83/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 17:55:06 UTC
AV detection:
23 of 45 (51.11%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vgnws3ukyfrqhbb3e3evzgbnlpu3t7lfpwcdsn6mlbwjvdoctobq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0c3748f23fb4ade0edb0e497f0f39adc528cec04ac7530e15e3f5baad6b69567
Formbook
320dab87aef07c03720923504dd0506f7d3e67de57b0067ebf0694966982db89
Formbook
6bcdb1b6795c22308aee5d390cfae409d21a3238a304466dd54c1dee43570afd
Formbook
84f70255bf8ae21b26cf03d2776784c32727ae97e1c901fa16cad311cd5c096a
Formbook
92b86a3617c61eedc7c080cf52283c060da54017337b6376790e5a34a360fdfa
Formbook
ae33000cbdc7cc10a8d86ce07727c8159d66a6707e2a453d996dc61c709de96f
Formbook
b5ac8902c4d239f5f72366876e99a586d3aaafe45c9a9e098c8ded9a2db7615c
Formbook
d0116b0ea676a655b1d55a2b7a79fb2585c1d04803e9d1d6f9cd1da15f789138
Formbook
d2d6a8c31acdd92eb9a005e2fac8838a382ab0425fc01bc88616bda185ab7b4c
Formbook
d39ec2fb7fa07bb6886173571262d2324d96b6e879ccc4f2cea46ece183e576a
Formbook
+ 9'421 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:cnpr rat spyware stealer trojan
Link:
https://tria.ge/reports/210920-w4ww2afaa4/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.xn--yeniyaam-swb.com/cnpr/
Unpacked files
SH256 hash:
3e79d58eccc73f2f2ba733f1592ed03197bd03dce392775dbb391b64bf9ebc87
MD5 hash:
fd37373e469c3f71e44916e76f8f5165
SHA1 hash:
c8a53d90e486cd65f44a764a6bf3618ad5371be5
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/d0e00742-b292-4da4-bc06-c4452f6bb11d/
Parent samples :
a99b696e8ac16303843b26c95c982d5be9b9fd657d843937cc586c9a8dc29b83
b11a7103f96fb02a8df7ad0e821f0083f48f56cc38df47d8573f39c0d4a19235
SH256 hash:
cac8b347040a359c02ae5e658d3d76230c7dd7eb33505605ed0b9bc49ff268c7
MD5 hash:
71a894ff252c767b80d65ab1e54fda2b
SHA1 hash:
bcc4ff628585ca28b8b0f2c30e63049b910d4d49
Link:
https://www.unpac.me/results/d0e00742-b292-4da4-bc06-c4452f6bb11d/
SH256 hash:
9bfcfbe211d9351c7ddc95db347534c4168a2d9f567b32a22bc5d0006c3827ea
MD5 hash:
393cf25d0385b68cd794b2d64be135b1
SHA1 hash:
6818d3e12e7645f3f411efaf59868eff717ba803
Link:
https://www.unpac.me/results/d0e00742-b292-4da4-bc06-c4452f6bb11d/
SH256 hash:
c2fb55622acbfe91f5f166bc36896e4873f4101b8e33009a5b5dcaf8ea9bcf61
MD5 hash:
c3a45780a7afcc47ee42225c0df26a61
SHA1 hash:
5539402d60362226faf28930bc1e3ae8f6dfd167
Link:
https://www.unpac.me/results/d0e00742-b292-4da4-bc06-c4452f6bb11d/
SH256 hash:
a99b696e8ac16303843b26c95c982d5be9b9fd657d843937cc586c9a8dc29b83
MD5 hash:
1caacec9442e87e867993c5dd722410e
SHA1 hash:
a23d20eba03efd6f428b0c6f1afbe47dccfe8c68
Link:
https://www.unpac.me/results/d0e00742-b292-4da4-bc06-c4452f6bb11d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a99b696e8ac16303843b26c95c982d5be9b9fd657d843937cc586c9a8dc29b83

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe a99b696e8ac16303843b26c95c982d5be9b9fd657d843937cc586c9a8dc29b83

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/189580/

Comments